Silobreaker Daily Cyber Digest – 14 March 2016
The Bangladesh Account Heist
Last week hackers stole $81 million from the Bangladesh central bank’s foreign account, held at the Federal Reserve Bank of New York.
It’s believed that the attackers gained access to the Bangladesh central bank’s systems and may have used malware to monitor the actions of staff, a technique used by groups such as Carbanak.
Having obtained the bank’s SWIFT code, the hackers made multiple high value electronic transfers from the bank’s Federal Reserve account to front companies in Southeast Asia. Although four transfers totalling $81 million were approved, the fifth, to a supposed Sri Lankan non-profit called the “ShalikaFoundation”, looked suspicious.
This spelling mistake led Deutsche Bank to investigate the “Shalika Foundation”. Finding that it didn’t exist, they alerted the Bangladesh bank, who kicked the hackers from their systems and cancelled the remaining transactions, which were in excess of $850 million.
FireEye’s Mandiant team is currently investigating. The Federal Reserve claim that their own systems were not compromised at any point.
Malicious Bitcoin extension
A Chrome browser extension called Bitcoin Wisdom Ads Remover has been discovered stealing users’ bitcoins. The extension supposedly removes ads at BitcoinWisdom.com, a site for bitcoin-related statistics, but actually replaces the QR wallet codes used to address transfers with its own.
The app, which targeted users of the Bitstamp, BTC-E and Hashnest Bitcoin services, has now been removed from the web store.
Staminus Communications, a hosting service that provides websites with DDoS protection, was taken down in spectacular fashion last Friday.
Initial claims that their service was unavailable due to ‘an event cascade across multiple routers’ proved to be wishful thinking, as hackers leaked internal data, customer payment details, contact information, card numbers and (hashed) passwords. The intruders apparently reset all of the company’s routers to their factory defaults, and left this mocking set of ‘Tips when running a security company’:
- Use one root password for all the boxes
- Expose PDU’s to WAN with telnet auth.
- Never patch, upgrade or audit the stack
- Disregard PDO as inconvenient
- Hedge entire business on security theatre
- Store full credit card info in plaintext
- Write all code with wreckless [sic] abandon
Craig Smith of Nullcon has designed an attack in which a car infected with malware transmits an infection to the computers in a mechanic’s workshop. These computers, in turn, will pass the malware on to other cars that arrive for servicing.
This malware is a newer version of a proof-of-concept that Smith introduced in 2015. This time the malware has machine learning capabilities and does not require in-depth knowledge of coding or automotive security.
Powersniff is a file-less variant of the Ursnif family that’s currently included in a malicious spam campaign. As file-less malware, Powersniff is particularly difficult to trace. Infection occurs via a macro included in an attached document. Running the macro will execute a hidden instance of PowerShell and a script that reconnoitres the infected system.
The malware will look for systems involved in sales and POS, or those with links to a list of financial institutions. It appears to deliberately ignore systems involved in the running of schools, hospitals, colleges or health services. This information will be sent to C&C servers, which at this time are unresponsive.
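A defender-side illustration of the macro-to-hidden-PowerShell chain described above, added here as an example and not part of the digest. The script scans constructed process-creation records (parent image, child image, command line; a simple pipe-separated format assumed for the example, not the output of any particular product) and flags Office applications spawning a script host, raising the severity when the command line carries the hidden-window, encoded-command or execution-policy-bypass switches.

```python
"""Flag Office applications spawning a script host, the pattern used by
macro-delivered fileless loaders.

Added example. The events below are constructed to resemble Windows
process-creation records; they are not from the Powersniff campaign or any
real host, and the field layout (parent|child|command line) is an assumption.
"""
import re
from dataclasses import dataclass, field

# Constructed sample events: "parent image|child image|command line".
SAMPLE_EVENTS = [
    r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoP -W Hidden -Exec Bypass -File C:\Users\alice\AppData\Local\Temp\tmp1.ps1",
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Scripts\backup.ps1",
    r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c powershell -enc SQBFAFgA",
    r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE|C:\Windows\splwow64.exe|splwow64.exe 12288",
]

# Document-handling applications that should rarely launch a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and proxies commonly used as the first stage after a macro runs.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line switches that hide the console window, carry a base64 payload,
# or disable the execution policy; any one of them raises the severity.
SUSPICIOUS_SWITCHES = re.compile(
    r"-w(?:indowstyle)?\s+hidden"                      # hidden console window
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}"   # base64-encoded command
    r"|-exec(?:utionpolicy)?\s+bypass",                # execution policy bypass
    re.IGNORECASE,
)


@dataclass
class Finding:
    parent: str
    child: str
    severity: str
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse_event(line: str):
    """Return a Finding for an Office-parent/script-host pair, else None."""
    parent, child, cmdline = line.split("|", 2)
    p, c = basename(parent), basename(child)
    if p not in OFFICE_PARENTS or c not in SCRIPT_HOSTS:
        return None
    reasons = [f"{p} spawned {c}"]
    for m in SUSPICIOUS_SWITCHES.finditer(cmdline):
        reasons.append("suspicious switch: " + m.group(0))
    # A bare Office->script-host spawn is worth a look; hidden/encoded/bypass
    # switches on top of it are the stronger signal.
    severity = "high" if len(reasons) > 1 else "medium"
    return Finding(p, c, severity, reasons)


def scan(lines):
    """Analyse every record and keep only the ones that produced a finding."""
    return [f for f in map(analyse_event, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.severity.upper(), "; ".join(finding.reasons))
```

The parent/child pairing is the part worth keeping even if the switch list changes: the switches are easy to vary, but a word processor launching an interpreter is unusual enough in most environments that it is a useful alert on its own, with the switches serving to prioritise rather than to decide.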
Trojan:Win32/Moscupin is malicious software with connections to adware sites; it hijacks a user’s browser searches and re-routes them towards infected websites and malware landing pages.
Moscupin has the capacity to make changes to your browser settings, as well as modifying system settings so that potentially unwanted programs can be installed without authorisation. The trojan is thought to have a number of distribution channels, including popular torrenting sites and spam email campaigns.
The attacks were initiated in protest against the police shooting of Abdi Mohamed, a local teenager who is currently in a coma after police shot him three times following a disturbance. New World Hackers vowed to continue their protests until the implicated officers are arrested and ‘justice is served’.
Surge in Locky Distribution
Locky ransomware has seen a huge intensification in its distribution in the last week. First observed in February 2016, reported cases of Locky infections had been fairly low in the past weeks, before a recent spike in activity.
It is thought that the ransomware is now being distributed via the same botnet that helped spread the Dridex trojan. It is currently being distributed in a spam email campaign, hidden in an infected JS attachment. The botnet is capable of sending out 200,000 emails in an hour, which explains the recent spike in Locky infections.
Ottawa Hospital Ransomware Attack
Four computers at a major Canadian hospital were infected with a currently unidentified ransomware over the weekend. IT services at the hospital claim they isolated and wiped the affected machines before the malware could spread, and before any patient information was compromised.
The hospital has strict backup protocols, which allowed them to successfully recover from the attack. This is yet more evidence that conscientious data backups are the most effective way of fighting off ransomware attacks.
Burrp Website Compromised
The Angler landing page seeks to install programmes such as TeslaCrypt onto users’ computers, taking advantage of recent Windows and Adobe vulnerabilities.
The Silobreaker Team